Sectigo (formerly Comodo) Time Stamping Service Expiration – What to Know and What to Do

Modified on: Mon, May 20, 2019 at 3:42 PM

If you use your Comodo Code Signing Certificate to sign Java code, please read this article carefully. (If you don’t sign Java code with your certificate, you can ignore this article.)

On Wednesday, May 8th 2019 we received a notification from Sectigo (formerly Comodo CA) that one of their timestamping certificates that work in conjunction with Code Signing Certificates will be expiring on July 9th, 2019. Java code signed with the Comodo/Sectigo time stamping service at timestamp.comodo.com may be affected if it is signed with the time stamping certificate that expires on July 9, 2019.

This expiration is a regular, anticipated occurrence, and this Article outlines the steps you’ll need to take to avoid any interruption in service.

Code Signing and Timestamping

Not all software distributors who sign code choose to timestamp it, so the expiration of this certificate will only impact those who have timestamped their signed code.

Timestamping paired with code signing establishes a point in time in which an object (such as a software executable) existed, was signed by a certificate which was valid at the time, and has not been changed since that time.

In Java, the application checks the validity of both the code signing and timestamping certificates. As long as one of the two is still valid, the signed application will be trusted. Timestamped code will remain trusted long after the code signing certificate used to sign it has expired, because timestamping certificates have a much longer lifespan than code signing certificates. But timestamping certificates do still expire, which is what is happening here.

The timestamping certificate that is expiring on July 9th 2019 is associated with timestamp.comodoca.com. As of March 4th, 2019, it was replaced with the new certificate timestamp.sectigo.com. Any code timestamped after March 4th, 2019 will have this new certificate and no action needs to be taken on them.

How to determine if you’re impacted

Java is the only platform that will be impacted by this certificate expiration. If you are using Windows or other applications to sign your code, you are not impacted by this expiration. Any code signing certificate issued by Sectigo (Comodo) before March 4th, 2019 (including EV certificates) can be affected by this expiration if they’re being used in a Java environment.

You can refer to the flow chart below to easily determine of you need to take any action before the expiration.

You can check the status of both certificates (time stamping and code signing) by running the following command:

jar verified.
Warning:
The timestamp will expire within one year on 2019-07-09. However, the JAR will be valid until the signer certificate expires on 2020-05-30.
Re-run with the -verbose and -certs options for more details.

As long as the output message includes “jar verified,” the application is currently running without issue.

In the example above, the timestamp being used is the one that will be expiring (2019-07-09), but the code signing certificate itself doesn’t expire until May 30th, 2020. In the above case, this code would still be trusted and will just need to be re-signed any time before the actual code signing certificate expires.

FAQ

Q: Why is this happening?

A: A timestamping certificate used with Sectigo (Comodo) code signing certificates expires on July 9, 2019. This is a regular anticipated occurrence as timestamping certificates have a longer lifespan than code signing certificates, but they do still have an end-of-life date.

Q: How do I know if I’m affected?

A: Refer to our handy flow-chart above. Only signed applications meeting the following criteria are affected:

The application is signed in Java.

The application was signed AND timestamped.

The application has a timestamp from timestamp.comodoca.com.

The time stamp was signed by a certificate that expires on July 9, 2019.

Q: Ok, I’m affected, what do I do?

A: If your code signing certificate is not expired yet, just re-sign your code any time before it expires. If you’re code signing certificate is already expired, renew or replace it and re-sign your code.

Q: What will happen if I don’t re-sign my code in time?

A: Users or processes using your application may experience issues after July 9th, 2019